What is Digital Rights Management (DRM)?

Digital Rights Management (DRM), also sometimes called ECMS, or electronic copyright management systems, are technologies designed to automatically manage rights in relation to information. This can include preventing copyright works and other information from being accessed or copied without authorization and establishing and enforcing license terms with individuals. DRM is a form of continual protection that protects works and manages rights at all times, no matter where the works are located or who has possession of them. DRM attempts to promote authorized use of a copyright work, in part by precluding the possibility of copyright infringement. DRM systems comprise a number of technological components, which can include encryption, a surveillance mechanism, databases of works, owners and users, license management functionality and technological protection measures (TPMs).

Why are copyright owners interested in DRM?

New technological advances such as the Internet can make it easier to copy and distribute digital works. Potentially, these advances could greatly reduce copyright owners' costs of distributing copyright works. However, some copyright owners are reluctant to disseminate digital works because they are afraid that their copyright works will be immediately and widely infringed. This is where DRM comes in. DRM promises copyright owners a high degree of control over how works are accessed and used, even after the works are disseminated to users. Thus, copyright owners are interested in DRM because it will help them reduce online copyright infringement. However, there are additional motivations for copyright owners to distribute DRM-protected works. For example, DRM can potentially allow copyright owners to require users to pay for each access and use of a work they wish to make. DRM also possesses the ability to observe and report on usage characteristics, which can provide the distributor of the DRM with unique marketing information not otherwise available. This could give rise to new business models and to a continual revenue stream derived from copyright works. Note, however, that there is no essential connection between DRM and copyright: DRM may be deployed in respect of any content, regardless of the copyright status of the content (i.e., public domain materials are not subject to copyright), and may report to persons other than the copyright owner.

What is the status of DRM development and implementation?

There are a number of well-known DRM-like systems in use including Apple's FairPlay and Microsoft's Windows Media DRM. While there are numerous DRM developments underway, DRM development to date has generally suffered from a lack of uniform standards and lack of interoperability. DRM systems developed to date have tended to be proprietary systems which require owners and users to "buy into" a particular technology or device.

How does the law treat DRM?

DRM systems can be hacked and circumvented. There are a number of high-profile examples of this, including DeCSS protection for DVDs and Apple's FairPlay. Because of this threat of circumvention, a number of countries have signed on to two treaties regarding the establishment of global anti-circumvention laws - the WIPO Copyright Treaty and the WIPO Performances and Phonograms Treaty. Some countries have passed laws implementing these WIPO treaties - laws that prohibit the circumvention of technological protection measures that form a central component of DRM systems. The most notorious example of such legal protection is the Digital Millennium Copyright Act (DMCA) in the United States. In 2004, a Parliamentary Committee recommended that Canada pass laws to implement the WIPO treaties (see the Bulte Report below). Amendments to Canadian legislation were proposed in 2005 under the Martin government but died with fall of that government. It remains to be seen what will happen next, although it is virtually certain some changes will be forthcoming.

Note that others have observed that Canada already has a variety of laws that potentially apply to unauthorized tampering with DRM, and consequently question the need for an additional layer of protection. Copyright law will still apply to any infringing activities that occur after circumventing TPMs, while the principles of contract law apply to anti-circumvention provisions in agreements with the consumer.

Why is legal protection of DRM controversial?

Legal protection of DRM is controversial for a number of reasons. DRM can be designed and used in ways that raise serious concerns. For example, DRM systems can limit public access to works that are freely available in the public domain, deny users the ability to make fair uses of copyright works (for research and other purposes), jeopardize the long-term preservation of information (as technologies become obsolete), frustrate attempts to improve the interoperability of different computer technologies, and infringe individual privacy (by tracking usage of the materials). DRM can also conflict with consumer expectations, especially when consumers are not warned about the presence of DRM through clear and conspicuous labeling. DRM and legal protections for DRM can have a corresponding negative impact in the areas of free speech, open source software, reverse engineering, network security, price discrimination and competition law. In the United States, the DMCA has been observed to stifle important research and technological innovation in a number of areas.

How does DRM affect consumer rights and expectations?

DRM can fundamentally alter consumers' ability to access and use goods that they purchase, in ways that conflict with their reasonable expectations. When a consumer purchases a book in a bookstore, neither the owner of the bookstore nor the owner of copyright in the book will be able to know or control how or where the consumer uses that book. DRM fundamentally changes this dynamic by forcing an ongoing relationship between the copyright owner and the user and enabling the copyright owner to place limits on the use of an item even after it is purchased. DRM could limit access and use to a single computer or to certain technologies, and to automatically prohibit uses that are not permitted by the copyright owners' license. For instance, if DRM were applied to the book in the example above, the purchaser would not be permitted to lend the DRM-protected book to a friend, unless the license specifically allowed them to do so.

Thus, DRM alters the distribution of works in a manner that in some ways resembles the licensing method that has been used to distribute computer software for years. Under this method, unlike traditional purchases of copyright works like movies, music and books, users do not actually purchase the content - rather, they purchase only certain piecemeal rights in relation to works. This also has an impact on the related concept of fair (legal) use. DRM does not consider or recognize the purpose for which an individual may want to access or copy a work. In other words, there is currently no way for a DRM system to know whether an individual is infringing or making a fair use of the work by, for example, copying for news reporting or private study. Consequently, consumers are effectively restricted to whichever rights the copyright holder wishes them to have. These rights are not necessarily the same as those that individuals have under the Copyright Act, or with respect to non-digitized copyright works.

DRM systems developed to date could have a dramatic impact on personal privacy. DRM's surveillance capabilities allow copyright owners to gather and analyze detailed information about users' reading, viewing and listening habits. Importantly, these activities are often ones that are typically performed in the privacy of users' homes where they would have no expectation that they are being watched. Each discrete access or use that a user makes (or perhaps even attempts to make) in relation to a work can be recorded by a DRM system. For example, among other things, copyright owners might be able to know how you paid for a song online, how many times you have listened to it, whether you replayed any parts of it more frequently, whether you copied (or attempted to copy) all or part of the song, and whether you sent (or tried to send) the song to a friend. This kind of surveillance and data gathering can invade privacy in and of itself. However, DRM may also invade privacy in the sense of reducing the scope of intellectual freedom. In other words, DRM may affect privacy because knowledge that their habits are being monitored may cause many users to avoid accessing or using certain forms of content in the privacy of their homes.

A study CIPPIC conducted in the fall and spring of 2006/07 substantiated these concerns. Our study, titled Digital Rights Management and Consumer Privacy: An Assessment of DRM Applications Under Canadian Privacy Law, analyzed the behaviour of 16 different digital services and products that utilized DRM, and compared that behaviour with the disclosures of the organizations distributing the DRM. We observed undisclosed tracking of usage and surfing habits, and unexplained communications with third parties including marketing companies. We also found that the organizations using these technologies often failed to comply with basic requirements of Canadian privacy law.

Privacy authorities have been vocal with respect to their concerns with the privacy implications of DRM. The Office of the Privacy Commissioner of Canada has stated that it "would oppose legislation or legislative amendments that conferred unjustified privacy-invasive surveillance powers upon digital copyright holders." The Privacy Commissioner of Canada, the Information and Privacy Commissioner of Ontario, the Information and Privacy Commissioner of British Columbia and the Information and Privacy Commissioner of Alberta each wrote to the Ministers responsible for copyright policy expressing their concerns with DRM, and requesting that they be consulted prior to the enactment of anly law privileging DRM. Other jurisdictions have voiced similar concerns. For instance, the European Union (EU) Copyright Directive codifies recognition that DRM systems can have an impact on privacy where DRM processes data about consumption patterns and traces online behaviour. The EU Copyright Directive provides that DRM should be designed in accordance with the EU Data Protection Directive.

How does DRM affect the public domain and libraries and archives?

DRM poses a serious threat to the ability of the public to access and use copyright works in the public domain. DRM conflicts with copyright in this way because under copyright law, copyright protection has a limited term. After the copyright term expires, the work enters the "public domain" and the public is free to access and use the work. Because of the limited access afforded by DRM, it has the potential to protect a work indefinitely, long after copyright in the work might have expired. This permanent lock-down of the public domain runs contrary to the principle of balancing the interests of creators and of the public in copyright law. Similarly, DRM also threatens access to many works over the long-term because data stored in proprietary DRM formats (whether it be songs, software, electronic books or other data) are at much greater risk of being lost once the playback media is no longer available, locking away the protected data forever. Indeed, this has already happened, according to Dennis Dillon, a librarian at the University of Texas in Austin, who states that information bought and paid for has since become inaccessible. Allowing libraries to circumvent DRMs, as recommended by some library associations, is likely a poor substitute for information accessibility. One is hard-pressed to imagine library associations employing armies of experts dedicated to defeating DRMs on material to be archived. Under DRM, libraries and archives of the future may be filled with irretrievable knowledge. The same holds true for individuals' collections of digital copyright works. In September 2004, a vice-president of Warner Music Group stated that, because of a lack of interoperability in DRM-related services, "[n]ext year, you'll start seeing people with potentially large libraries of content that won't play with their devices."